2012-08-07 165 views
1

I have some code that reads from a MySQL database, but I'm wondering how to modify it so that it checks whether a user exists in the table. How do I check whether a user exists in a MySQL database from VB.NET?

Thanks

Private Sub GetDBData() 
    Try 
     'prepare connection query 
     strQuery = "SELECT users.Username, users.Password " & _ 
     "FROM users " & _ 
     "WHERE Username='User'" 
     SQLCmd = New MySqlCommand(strQuery, dbCon) 
     'open db and start query 
     dbCon.Open() 
     DR = SQLCmd.ExecuteReader 
     While DR.Read 
      MysqlData.Text = MysqlData.Text & DR.Item("Username") & Space(10) & DR.Item("Password") & vbCrLf 
     End While 
     'done so closing db 
     DR.Close() 
     dbCon.Close() 

    Catch ex As Exception 
     MessageBox.Show(ex.Message) 
    End Try 
End Sub 
+2

At a glance: please use parameterised SQL. You have opened yourself up to SQL injection. – Lion 2012-08-07 22:15:44

Answers

2

A simple way is to issue a query like the following:

SELECT COUNT(*) FROM users WHERE Username='user123'; 

You run it and read back the returned value: if it is 0, the user does not exist. If it is 1, the user exists; if it is greater than 1, something is wrong (you have more than one user with the same username).

2

My VB is rusty, but here's the gist of it:

Private Sub GetDBData() 
    Try 
        'prepare connection query 
        strQuery = "SELECT users.Username, users.Password " & _ 
        "FROM users " & _ 
        "WHERE Username='User'" 
        SQLCmd = New MySqlCommand(strQuery, dbCon) 
        'open db and start query 
        dbCon.Open() 
        DR = SQLCmd.ExecuteReader 

        If DR.HasRows Then 

            While DR.Read 
                MysqlData.Text = MysqlData.Text & DR.Item("Username") & Space(10) & DR.Item("Password") & vbCrLf 
            End While 
        Else 
            'COMMENT: Your user didn't exist 
        End If 

        'done so closing db 

        'COMMENT: move to a finally() section and check objects are not null before closing 
        DR.Close() 
        dbCon.Close() 

    Catch ex As Exception 
        MessageBox.Show(ex.Message) 
    End Try 
End Sub 

2

Use command parameters to avoid SQL injection. If you only need to check whether a username exists by comparison, the strategy is to write a function that returns a Boolean. Below is sample code based on your needs.

' Requires: Imports MySql.Data.MySqlClient and Imports System.Data 
Private Function IsUserExist(userName As String) As Boolean 

    Dim returnValue As Boolean = False 
    Dim strQuery As String 

    strQuery = "SELECT COUNT(*) " 
    strQuery &= "FROM users " 
    strQuery &= "WHERE Username = @xUserName " 

    Using xConn As New MySqlConnection("connectionStringHere") 
        Using xComm As New MySqlCommand() 
            With xComm 
                .Connection = xConn 
                .CommandText = strQuery 
                .CommandType = CommandType.Text 
                ' Bound as a parameter, so userName can never change the SQL text 
                .Parameters.AddWithValue("@xUserName", userName) 
            End With 
            Try 
                xConn.Open() 
                ' COUNT(*) comes back as a boxed Int64; CInt narrows it for the comparison 
                If CInt(xComm.ExecuteScalar()) > 0 Then 
                    returnValue = True 
                End If 
            Catch ex As MySqlException 
                MsgBox(ex.Message) 
                returnValue = False 
            Finally 
                xConn.Close() 
            End Try 
        End Using 
    End Using 

    Return returnValue 
End Function 
2

Modify it? Too much is wrong: no Using blocks, exceptions swallowed, and potential SQL injection.

Something like this (I don't do VB, but the basic idea is sound):

Private Function UserExists(argUser As String) As Boolean 
    ' ?User is a named parameter placeholder (MySql.Data also accepts @User) 
    Dim strQuery As String = "SELECT Username FROM users WHERE Username = ?User" 
    Using SQLCmd As New MySqlCommand(strQuery, dbCon) 
        SQLCmd.Parameters.AddWithValue("?User", argUser) 
        dbCon.Open() 
        Try 
            Using reader = SQLCmd.ExecuteReader() 
                ' Read() returns True only if at least one row came back 
                Return reader.Read() 
            End Using 
        Finally 
            dbCon.Close() 
        End Try 
    End Using 
End Function 

I would also instantiate the connection myself (in a Using block) rather than getting it from wherever you currently do, if it were me.

+0

Maybe a silly question, but what does ?User mean? – user1244772 2012-08-08 09:58:53

+0

A parameterised query, effectively. ?User is replaced by the value argument of the SQLCmd.Parameters.Add call, in a way that does not expose you to SQL injection attacks. – 2012-08-08 10:14:54

0
Protected Sub btnlogin_Click(ByVal sender As Object, ByVal e As System.EventArgs) Handles btnlogin.Click 
    ' Requires: Imports MySql.Data.MySqlClient 
    Dim conn As New MySqlConnection("Data Source=localhost;Database=name;User ID=root;Password=pwd;") 

    ' Parameterised: the form values are bound, not pasted into the SQL text 
    Dim loginstring As String = "SELECT uname,password,type FROM logindetails WHERE uname = @uname AND password = @pwd" 
    Dim myCommand As New MySqlCommand(loginstring, conn) 
    myCommand.Parameters.AddWithValue("@uname", txtuname.Text) 
    myCommand.Parameters.AddWithValue("@pwd", txtpwd.Text) 

    Try 
        conn.Open() 
    Catch myerror As MySqlException 'If it fails (no network connection, bad credentials, etc.) stop here 
        MsgBox("Error connecting to database. Check your internet connection.", MsgBoxStyle.Critical) 
        Return 
    End Try 

    Try 
        Using myData As MySqlDataReader = myCommand.ExecuteReader() 
            If Not myData.HasRows Then 
                MsgBox("Invalid Credentials", MsgBoxStyle.Critical) 
                Return 
            End If 
        End Using 
    Finally 
        conn.Close() 
    End Try 

    ' Response.Redirect ends the current request, so nothing placed after it would run 
    Response.Redirect("Adminhome.aspx") 
End Sub 
+0

Please don't provide code-only solutions – 2012-12-21 23:40:49
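Added example, not code from the question or any of the answers above: the string-concatenated login from the last answer next to the parameterised existence check the other answers recommend, written in Python with the standard-library sqlite3 module standing in for VB.NET and MySql.Data so it runs offline. sqlite3's `?` placeholders play the role of the `@xUserName` / `?User` command parameters on this page. The `users` table, its two rows and the injected strings are all constructed for the demo.

```python
"""Constructed demo: why pasting form input into SQL text is injectable, and how
binding it as a parameter fixes it. sqlite3 stands in for MySql.Data here."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample table mirroring the page's 'users' table.
    UNIQUE on Username rules out the 'count > 1' case the first answer mentions."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (Username TEXT UNIQUE NOT NULL, Password TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO users (Username, Password) VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    return conn


def login_concat(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Same construction as the btnlogin_Click answer: input concatenated into SQL.
    Kept deliberately vulnerable so the bypass below can be shown."""
    sql = (
        "SELECT Username FROM users WHERE Username = '" + username
        + "' AND Password = '" + password + "'"
    )
    return conn.execute(sql).fetchone() is not None


def login_param(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterised login: the input is bound as a value and never parsed as SQL."""
    row = conn.execute(
        "SELECT Username FROM users WHERE Username = ? AND Password = ?",
        (username, password),
    ).fetchone()
    return row is not None


def user_exists(conn: sqlite3.Connection, username: str) -> bool:
    """Parameterised COUNT(*) existence check, as in the IsUserExist answer."""
    (count,) = conn.execute(
        "SELECT COUNT(*) FROM users WHERE Username = ?", (username,)
    ).fetchone()
    return count > 0


def demo() -> dict:
    """Run both login styles against constructed inputs and return the outcomes."""
    conn = make_db()
    tautology = "' OR '1'='1"   # turns the WHERE clause into 'always true'
    comment = "alice'--"        # closes the quote, comments out the password check
    return {
        "concat_valid": login_concat(conn, "alice", "s3cret"),
        "concat_tautology": login_concat(conn, tautology, tautology),  # True: anyone logs in
        "concat_comment": login_concat(conn, comment, "wrong"),         # True: alice, no password
        "param_valid": login_param(conn, "alice", "s3cret"),
        "param_tautology": login_param(conn, tautology, tautology),    # False: just a string
        "param_comment": login_param(conn, comment, "wrong"),          # False: no such user
        "exists_alice": user_exists(conn, "alice"),
        "exists_missing": user_exists(conn, "mallory"),
        "exists_tautology": user_exists(conn, tautology),              # False, not injected
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The two `concat_*` keys for injected input come back True while every `param_*` and `exists_*` key for the same strings stays False; the only difference is whether the input reached the SQL parser. Note that, like the tables on this page, this demo stores and compares plaintext passwords; a real login should compare against a salted password hash, which the example does not cover.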
